Keep getting "35 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca" when trying to validate merchant using Apple Pay Web

TLDR: I can't pass merchant validation for some reason and think it might be either

I have been struggling trying to make my Apple Pay application work for over a month now and have finally decided to ask for some help.


Errors I get when building:
  • curlError: "unable to set private key file: '/home2/mattmson/public_html/gwApplePayDev/certs/gwApplePay.key.pem' type PEM"

  • Unhandled Promise Rejection: InvalidAccessError: The object does not support the operation or argument


The errors I am getting from my curl_test.php file:
cURL Error
35 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Verbose information
* Trying 17.171.78.7:443...
* Connected to apple-pay-gateway.apple.com (17.171.78.7) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
* Closing connection 0


Which leads me to believe it might be...
I have the same problem here. If you solve it, please share the solution with me ASAP.
Having same issue. Please share if you find the solution.
This typically indicates a client authentication failure when communicating with the Apple Pay servers to receive your payment session with your Merchant Identity Certificate.

Where to go from here:

1) Make sure that you have a valid Apple Pay Merchant Identity Certificate and you are not using an old or revoked one.

2) Take a look at your server's verbose access logs to see if there is any more information about why the failure is taking place. For example, sometimes this will indicate that the server could not access your certificate, etc.

3) Make sure you are using your server side APIs correctly to perform client authentication.

4) Make sure you are using TLS 1.2 with a trusted leaf certificate. Notice in your error:


CAfile: /etc/pki/tls/certs/ca-bundle.crt
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca



Make sure your server is not trying to negotiate TLS 1.1 and can successfully build a chain of trust (your trust store is at /etc/pki/tls/certs/) with the leaf certificate that the Apple Pay servers are sending in the Server Hello.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
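
A local preflight for steps 1 and 3 above, as an added example that is not part of the original thread and not Apple's code: it checks that a certificate and private key parse, belong together, and are inside their validity window before they are handed to cURL. The function names `preflight` and `makePair` and the self-signed sample pair are constructed for illustration; revocation cannot be checked this way.

```php
<?php
// Added example. Returns a list of problems found in a PEM certificate/key
// pair; an empty list means the pair is locally consistent.
function preflight(string $certPem, string $keyPem, ?string $passphrase = null): array
{
    $cert = openssl_x509_read($certPem);
    if ($cert === false) {
        return ['certificate is not parseable PEM'];
    }
    $key = openssl_pkey_get_private($keyPem, $passphrase);
    if ($key === false) {
        return ['private key cannot be loaded (wrong format or passphrase)'];
    }
    $problems = [];
    // A key that does not belong to the certificate cannot be used for
    // TLS client authentication.
    if (!openssl_x509_check_private_key($cert, $key)) {
        $problems[] = 'private key does not match the certificate';
    }
    $info = openssl_x509_parse($cert);
    $now = time();
    if ($now < $info['validFrom_time_t']) {
        $problems[] = 'certificate is not yet valid';
    }
    if ($now > $info['validTo_time_t']) {
        $problems[] = 'certificate expired on ' . gmdate('Y-m-d', $info['validTo_time_t']);
    }
    return $problems;
}

// Constructed sample input: a throwaway self-signed pair generated in memory,
// standing in for the real merchant identity certificate and key files.
function makePair(int $days): array
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => 'merchant.example.test'], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $certPem);
    openssl_pkey_export($key, $keyPem);
    return [$certPem, $keyPem];
}

[$certPem, $keyPem] = makePair(30);
[, $otherKeyPem] = makePair(30);

echo "matching pair:   ", json_encode(preflight($certPem, $keyPem)), PHP_EOL;
echo "mismatched pair: ", json_encode(preflight($certPem, $otherKeyPem)), PHP_EOL;
```

For the real files, pass `file_get_contents()` of the paths given to `CURLOPT_SSLCERT` and `CURLOPT_SSLKEY`, run as the same user the web server runs as so that file permission problems show up too.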